11-24-2017 06:23 AM
Hi,
My customer would like to migrate from traditional licensing towards smart licensing. They want to use a proxy to have the ISE talking to the smart portal and want to configure this very restrictively.
So the question here is: What exactly is the specific URL the ISE is talking to when using smart licensing?
Thanks in advance.
Roland
11-25-2017 03:37 PM
11-26-2017 02:15 PM
Thanks for the link to the document. I had some issues getting ISE 2.3 patch 1 talking to Smart Licensing because my customer forces all internet traffic to go through an authenticated proxy. The tcpdump revealed that it was trying to talk to tools.cisco.com:443 - but it doesn't handle the proxy part at all (doesn't present the credentials). We are able to use the same proxy for the SMS gateway. I have a TAC case open for this.
Roland, I would be interested to know if you get it working through a proxy.
11-26-2017 02:48 PM
I found your TAC case. TAC is associating it with CSCvd93008 and checking with our engineering team.
06-14-2018 07:16 PM
Hi, just wondering if you finally got the proxy working for smart licensing? If so, did it require a patch or did you have a workaround for it? Thank you.
06-14-2018 07:40 PM
Hello
We have it working now using the https proxy transport mode, but we had to make an exception on the proxy to not request authentication (because that's the issue with ISE - it will gladly use a proxy, but it doesn't remember to send the authentication credentials).
So either you go https direct, or go https proxy, but with proxy whitelisting (just the IPs of the PAN nodes will do - we told them to whitelist those PAN IPs to go to tools.cisco.com).
There is a third option for Smart Licensing - use a Satellite Server on premises. We have that working in some cases too and it works. It means the ISE PANs talk to Satellite on prem and not to the internet. The Satellite server talks to the internet.
But there is an issue with ISE 2.4 and those new VM licenses. If you happen to have purchased the more expensive license (like Medium_VM) but a node needs the Small_VM, then the Satellite server will tell you that your VM license is out of compliance. This is a bug because Cisco allows for License Substitution - and that DOES work if you go direct to tools.cisco.com.
Go figure.
06-14-2018 07:59 PM
Thank you very much for your reply. I see most people just go back to traditional licensing until the proxy issue has been fixed, so I really appreciate your perseverance with this.
06-08-2023 12:58 AM
Whether you go for direct https connection, or via the https proxy option, do you only need to open access to tools.cisco.com on port 443?
I saw another post where tools1.cisco.com and tools2.cisco.com were mentioned.
I also saw mention of www.cisco.com but based on port 80?
06-09-2023 10:14 AM
ISE 3.0 p7, 3.1 p5 and 3.2 or higher contact: smartreceiver.cisco.com
Lower ISE versions contact: tools.cisco.com, tools1.cisco.com, tools2.cisco.com
HTH